Effective Date: [01.01.2025]

This Privacy Policy governs the manner in which LustMonster (“we”, “our”, “us”) collects, uses, maintains, and discloses information collected from users (“User” or “you”) of the website https://lustmonster.com (“Website”). This policy applies to the Website and all products and services offered by LustMonster. We are fully committed to protecting your privacy and operating in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and all applicable international and local data protection laws.

1. Information We Collect

LustMonster collects specific categories of information to deliver orders, secure our platform, comply with legal requirements, optimize customer experience, and protect our business operations. All data collection is governed by applicable laws, including, but not limited to, the General Data Protection Regulation (EU) 2016/679 (GDPR), California Consumer Privacy Act (CCPA), UK GDPR, and relevant international legislation.

We do not collect any data beyond what is necessary for the legitimate functioning of our services. All collection is conducted based on consent, contractual necessity, legal obligation, or legitimate business interest, as further detailed below.

1.1 Personal Data

Personal data refers to any information that can be used to directly or indirectly identify a natural person. LustMonster collects such data only when you actively interact with our website or services.

This includes, but is not limited to:

• Full legal name – Required for accurate billing, tax documentation, and shipping label generation. It may be used in the case of identity verification during high-risk transactions.
• Email address – Used for transactional updates (order confirmation, shipping status, return processing), customer service communication, optional marketing if you have opted in, and legal correspondence in cases involving fraud, disputes, or account-related actions.
• Physical addresses
  • Shipping address: Required for product delivery.
  • Billing address: Used for tax calculation, card verification, and fraud screening. In some jurisdictions, stored to meet fiscal recordkeeping requirements (e.g., EU VAT, US sales tax).
• Phone number – Optional but encouraged for delivery coordination. Required by certain carriers or customs authorities in specific countries. Not used for marketing purposes unless explicitly consented to.
• Order comments or contact messages – Any free-text you submit (including personalization notes, customer inquiries, or product feedback) may be retained as part of your user history and may be reviewed manually if relevant to operational or compliance activities.

We may also log internally any user-submitted data relevant to regulatory or reputational risk, including but not limited to abuse reports, false claims, or threat activity. These are retained under legitimate interest grounds and may be used in defense against fraudulent actions.

All personal data is stored in encrypted environments with strict access control. Our internal staff are trained on data protection protocols and bound by confidentiality agreements. Access is role-based and logged.

Sensitive Data

We explicitly do not collect or process any special categories of personal data as defined under Article 9 of the GDPR, including but not limited to data concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health status, or sexual orientation.

We do not request nor require any information about your personal preferences, sexual identity, or medical conditions for purchase or site usage. If such data is ever submitted voluntarily (e.g., via product reviews or feedback forms), it will be treated as unsolicited and removed where technically feasible.

1.2 Non-Personal Data

Non-personal data refers to information that, on its own, does not directly identify an individual, but helps us understand how our website is used and how it performs technically.

We automatically collect the following types of non-personal information when you interact with our website:

• Device specifications – Type (mobile/desktop/tablet), OS version, screen resolution, hardware capabilities.
• Browser data – Type, version, language setting, and compatibility headers.
• Session behavior – Navigation paths, page visit duration, bounce rates, scroll depth, click sequences.
• Geographic indicators – Approximate country or region based on anonymized IP lookups, used strictly for content delivery and localization (currency, tax zones, language defaults).
• Time zone and UTC offset – Used to optimize display of order timelines, email timestamps, and checkout consistency.

This data is collected using first-party cookies, server-side analytics, and edge-level tracking technologies. It is fully anonymized wherever feasible and stored in aggregate for business intelligence purposes.

We do not attempt to retroactively associate anonymized behavior with a specific user unless a security investigation or legal process requires such identification.

Non-personal data may also be used in algorithmic fraud analysis, automated abuse detection, bot rate-limiting, and performance optimization.

1.3 Payment Data

LustMonster does not directly process or store full payment credentials such as complete card numbers, CVV codes, or account passwords. All financial data is securely processed by third-party payment gateways that are fully PCI-DSS Level 1 certified.

However, for each transaction, we may collect and retain limited payment-related metadata necessary to support transactional integrity, risk mitigation, chargeback defense, and financial audit trails. This may include:

• Card brand and issuing bank metadata – To support compatibility and fraud analysis.
• Last 4 digits of the card number – Displayed only in your account history or on support inquiries to help you identify past purchases.
• Billing ZIP/postal code – Used as an anti-fraud metric and for accurate tax calculations.
• Transaction reference IDs – Provided by payment processors for reconciliation and customer service purposes.
• Digital wallet provider or third-party ID – (e.g., PayPal, Apple Pay, Google Pay), including pseudonymous identifiers associated with your payment profile.

In case of refund requests, reversals, or fraud claims, this data may be reviewed by internal risk teams and shared with issuing banks, payment platforms, or legal authorities as required.

We retain these records for a minimum of 7 years, in compliance with financial reporting obligations and statutory limitation periods for dispute resolution.

1.4 Automated Data Collection Technologies

To protect our infrastructure, improve user experience, and comply with security standards, we deploy a range of automated tools that monitor, analyze, and respond to behavior patterns on our Website. These may include:

• Cookies and session identifiers – Used to maintain login states, cart contents, and UI language.
• Tracking pixels – Used for opt-in email tracking (e.g., open and click behavior) and campaign performance.
• Web beacons and invisible trackers – Used in transactional emails to ensure deliverability and engagement auditing.
• Browser fingerprinting – May be used in limited cases as part of automated fraud prevention (e.g., detection of mass account creation, proxy usage).
• JavaScript-based monitoring scripts – Employed to detect unusual interaction sequences or injection behavior that may indicate automated bots or malicious scripts.

Third-party tools used under strict confidentiality agreements and lawful processing bases include:

• Google Analytics (with IP anonymization enabled)
• Meta Pixel (only if explicit opt-in consent is given)
• Shopify analytics engine
• Cloudflare security suite (including bot management, threat scoring, and WAF logging)

These systems do not collect sensitive personal data and are configured to avoid overreach. You may opt out of non-essential cookies via our Cookie Consent Manager or through your browser settings.

We log all automated activity related to high-risk events (e.g., repeated failed logins, checkout injection attempts, abnormal cart behavior) in tamper-proof audit logs for forensic analysis.

1. How We Use the Information

LustMonster processes personal and non-personal data only for lawful, specific, and limited purposes, in accordance with the principles set forth in Article 5 of the General Data Protection Regulation (GDPR) and applicable global privacy frameworks. Every data processing activity is documented, risk-assessed, and justified based on one or more of the following legal bases: contractual necessity, legal obligation, explicit consent, or legitimate interest.

Below, we outline the full scope of our data usage operations.

2.1 Order Processing and Fulfillment

We use your personal and transaction data to:

• Validate and confirm incoming orders
• Calculate shipping rates and assign carriers
• Generate invoices and packing slips
• Notify you of order status and shipment tracking
• Ensure successful delivery and resolve delivery exceptions

If you provide incorrect or incomplete shipping data, we may use your email or phone (if available) to contact you for clarification. Failure to respond may result in delays or cancellation.

Certain delivery details may be shared with logistics providers, including your name, address, phone number (if provided), and package contents as required by customs in certain jurisdictions. This is governed by the shipping provider’s own privacy and legal framework.

2.2 Payment Verification and Fraud Prevention

We use payment metadata (see Section 1.3) to:

• Screen transactions for signs of payment fraud, including velocity attacks, card testing, and duplicate orders
• Comply with anti-money laundering (AML) and Know Your Customer (KYC) regulations where applicable
• Assist with dispute resolution in case of chargebacks or unauthorized payment claims

We may flag and cancel high-risk orders automatically or manually if they match known fraud patterns or exhibit inconsistent metadata (e.g., mismatched IP, location anomalies, anonymous proxy use). In cases of suspected fraud or abuse, associated user data may be retained beyond the standard retention period under legitimate interest.

2.3 Customer Support and Incident Resolution

When you contact us via email, chat, or contact forms, we retain all correspondence and metadata associated with your inquiry. This enables us to:

• Verify your identity
• Review past orders or previous issues
• Provide accurate technical or logistical assistance
• Resolve disputes, refund requests, or quality complaints

All support interactions are logged for internal accountability and training purposes. We may anonymize or archive support records after the applicable retention period.

2.4 Legal Compliance and Regulatory Reporting

We may process or retain your personal data if required to:

• Comply with tax reporting obligations (e.g., VAT MOSS, US state sales tax, EU e-commerce directives)
• Cooperate with law enforcement or regulatory authorities under subpoena, court order, or lawful warrant
• Document consent and transaction data for legal defense (e.g., in consumer protection complaints or civil litigation)
• Maintain records required by statutory retention laws (e.g., bookkeeping, warranty handling, invoice archiving)

No disclosure of personal data to public institutions will occur unless strictly mandated by law or as part of a legitimate legal process.

2.5 Communications and Service Messaging

We use your contact information to send essential service communications such as:

• Order confirmations
• Shipping notifications and tracking links
• Password reset instructions
• Important updates about changes to policies, services, or platform status

These emails are transactional and do not require prior consent. You cannot opt out of essential service messages unless you delete your customer account entirely.

2.6 Optional Marketing and Promotional Communication

We may send marketing emails or promotional offers only if you have explicitly opted in via:

• Newsletter subscription forms
• Checkbox at checkout
• Manual consent via account settings or support request

Marketing messages may include:

• Product announcements
• Discount codes
• Stock updates for requested or backordered items
• Thematic product collections or educational blog content

All marketing communication includes a clear unsubscribe link in compliance with the CAN-SPAM Act (US), Privacy and Electronic Communications Regulations (UK), and ePrivacy Directive (EU).

We do not engage in cold email marketing or third-party list purchases. You will never receive marketing emails from us unless you actively opted in.

2.7 Analytics and Service Optimization

We process non-personal usage data to:

• Analyze sales trends and seasonal demand
• Optimize product sorting, recommendations, and navigation structure
• Identify broken links, outdated content, or user flow bottlenecks
• Measure advertising campaign performance (only if you previously consented to tracking cookies)

All analytics data is anonymized where possible and never used to create behavioral profiles or sell to third parties. We do not perform automated decision-making or profiling under GDPR Article 22.

2.8 Security Monitoring and Abuse Prevention

We may log and process data related to:

• Suspicious login attempts
• Abuse of promotional codes
• Tampering with checkout scripts or cart manipulation
• Scraping or rate-limiting violations
• Attempts to bypass geo-restrictions or IP blocks

Such data is collected automatically and reviewed by automated systems or internal risk teams. It is retained for up to 36 months for evidentiary and mitigation purposes. Data may be shared with hosting providers, CDN security layers (e.g., Cloudflare), and threat intelligence vendors under strict agreements.

In confirmed cases of abuse, we reserve the right to blacklist IP ranges, payment tokens, or device fingerprints permanently.

2.9 Business Intelligence and Product Development

We may use anonymized aggregate data to:

• Forecast inventory requirements
• Test new product concepts based on category interest
• Segment customer demand across geographies
• Support supply chain optimization and vendor negotiations

This usage does not involve personally identifiable information and cannot be reversed into individual profiles.

1. Legal Basis for Processing (GDPR)

This section applies specifically to individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland, in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and its national implementations. It also reflects principles from the UK GDPR and other global privacy frameworks that require lawful grounds for data processing.

Every processing activity performed by LustMonster is mapped to one or more of the lawful bases outlined in Article 6(1) of the GDPR. No data is collected or processed without at least one legitimate justification under applicable law.

We do not rely on implicit consent or implied acceptance unless explicitly permitted by law (e.g., essential cookies or session-based data required to fulfill a transaction).

3.1 Contractual Necessity – GDPR Art. 6(1)(b)

We process your personal information when it is necessary to fulfill a contract with you or to take steps at your request prior to entering into a contract. This includes, but is not limited to:

• Accepting and processing orders
• Managing payments and refunds
• Delivering goods
• Providing customer support related to placed orders
• Verifying your identity for account-related matters

If you decline to provide the data required under this basis, we may be unable to process your order or provide the requested service.

3.2 Legal Obligation – GDPR Art. 6(1)(c)

We process certain data where we are legally obligated to do so. This includes obligations under:

• Tax and customs regulations (e.g., VAT invoicing, import/export declarations)
• Accounting and recordkeeping laws (e.g., for audit compliance)
• Consumer protection legislation
• Law enforcement cooperation (e.g., fraud investigations, data preservation upon subpoena)

This legal basis may apply even after an order has been completed or your account has been deactivated.

3.3 Legitimate Interests – GDPR Art. 6(1)(f)

We process certain data under the legal basis of our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. This includes activities such as:

• Detecting and preventing fraud, abuse, or unauthorized access
• Logging security events and failed login attempts
• Protecting the integrity of our IT infrastructure
• Defending against legal claims or regulatory enforcement
• Improving our products, services, and user experience
• Anonymized analytics and performance metrics
• Tailoring site content and inventory management based on demand patterns

We perform documented balancing tests (LIA – Legitimate Interest Assessments) to ensure that our interests are proportionate and do not infringe upon your rights.

You have the right to object to processing under this basis at any time, unless we demonstrate compelling legitimate grounds to continue or the processing is required for legal claims.

3.4 Consent – GDPR Art. 6(1)(a)

We will only process your personal data based on freely given, specific, informed, and unambiguous consent where none of the other bases apply or where consent is legally required. Examples include:

• Opting in to receive promotional emails or newsletters
• Accepting non-essential cookies or tracking pixels
• Participating in customer surveys, polls, or market research
• Allowing product waitlist or restock notifications
• Using certain third-party integrations that require profile linking

You have the right to withdraw consent at any time, without penalty, by:

• Clicking the unsubscribe link in marketing emails
• Managing your cookie preferences via the Cookie Banner
• Contacting us at privacy@lustmonster.com with a clear request

Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.

3.5 Vital Interests and Public Interest – GDPR Art. 6(1)(d) and (e)

We do not typically rely on these bases. However, if required in extreme circumstances (e.g., to protect life, prevent physical harm, or comply with urgent public interest disclosures ordered by a competent authority), we reserve the right to process data accordingly and to the minimum extent necessary.

If you are unsure under which legal basis a specific processing activity falls, you may contact our Data Protection Officer (DPO) at privacy@lustmonster.com to request clarification. We maintain a detailed Article 30 Record of Processing Activities (ROPA), available for review by competent authorities under confidentiality.

1. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or any other jurisdiction that enforces the principles of the General Data Protection Regulation (GDPR), you are entitled to a number of rights with respect to your personal data, as defined in Articles 12–23 of the GDPR.

LustMonster is fully committed to honoring and enabling the exercise of these rights, subject to appropriate identity verification and within the timelines prescribed by law.

Requests may be submitted via email to privacy@lustmonster.com. We may ask for additional information to confirm your identity before processing your request. We reserve the right to reject clearly abusive, repetitive, or unfounded requests under Article 12(5) GDPR.

4.1 Right to Access (Art. 15)

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with the following:

• The purposes of processing
• The categories of personal data involved
• The recipients (or categories of recipients) to whom the data has been or will be disclosed
• The intended data retention period
• Information on your rights and how to exercise them
• The source of the data, if not collected directly from you
• Details of any automated decision-making, if applicable

You may request this information free of charge once per calendar year. Additional requests may incur a reasonable administrative fee.

4.2 Right to Rectification (Art. 16)

If your personal data is inaccurate, incomplete, or outdated, you have the right to request correction or completion.

You can also update certain information directly via your customer account, if applicable.

4.3 Right to Erasure ("Right to be Forgotten") (Art. 17)

You may request the deletion of your personal data under any of the following conditions:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where applicable), and there is no other legal basis for processing
• You object to processing, and there are no overriding legitimate grounds
• The data was unlawfully processed
• The data must be erased to comply with a legal obligation

Please note:
We may refuse deletion where the data is required for:

• Compliance with a legal obligation (e.g., tax recordkeeping)
• The establishment, exercise, or defense of legal claims
• Fraud prevention or abuse investigation
• Fulfilling a contract still in progress (e.g., active order, pending refund)

4.4 Right to Restriction of Processing (Art. 18)

You may request temporary suspension of data processing if:

• You contest the accuracy of the data (until verified)
• The processing is unlawful and you request restriction instead of deletion
• We no longer need the data, but you require it to establish or defend a legal claim
• You have objected to processing, pending verification of overriding grounds

During restriction, we will not process the data in any way except to store it or use it for legal claims, with your consent, or to protect another person’s rights.

4.5 Right to Data Portability (Art. 20)

Where processing is based on consent or contract and is carried out by automated means, you may request a copy of your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). You may also request direct transmission to another data controller, where technically feasible.

4.6 Right to Object (Art. 21)

You have the absolute right to object to direct marketing at any time. Once exercised, we will stop all marketing-related communication immediately.

You may also object to processing based on our legitimate interests or performance of a task in the public interest. If we cannot demonstrate compelling legitimate grounds that override your rights, we will cease processing.

4.7 Rights Related to Automated Decision-Making (Art. 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant impacts on you.

We do not engage in automated decision-making that falls under this category. If we introduce such processing in the future, it will be fully disclosed and subject to separate opt-in consent.

4.8 Right to Lodge a Complaint (Art. 77)

If you believe that your rights under the GDPR have been violated, you have the right to lodge a formal complaint with your local Supervisory Authority (SA). A list of SAs by country is available at: https://edpb.europa.eu/about-edpb/board/members_en

We encourage you to contact us first so we can address your concern directly and resolve it informally, if possible.

If you wish to exercise any of the rights described above, please contact our Data Protection Officer (DPO) at privacy@lustmonster.com. We aim to respond to all legitimate requests within 30 days, as per Article 12(3) of the GDPR.

1. Your Rights Under the California Consumer Privacy Act (CCPA/CPRA)

If you are a resident of the State of California, you are entitled to certain rights under the California Consumer Privacy Act (CCPA), as amended and expanded by the California Privacy Rights Act (CPRA), effective January 1, 2023.

This section applies solely to individuals defined as "consumers" under Cal. Civ. Code § 1798.100 et seq., and supplements the information provided elsewhere in this Privacy Policy. It reflects our commitment to transparency and lawful handling of personal information, including compliance with obligations related to data disclosure, correction, deletion, opt-outs, and non-discrimination.

5.1 Categories of Personal Information We Collect

In the past 12 months, LustMonster has collected the following categories of personal information about California residents:

We do not collect:

• Sensitive personal data as defined in Cal. Civ. Code §1798.140(ae) (e.g., racial/ethnic origin, religion, genetic data)
• Biometric or health data
• Government identifiers (e.g., SSN, passport numbers)

We do not sell personal information, nor do we knowingly allow third parties to access your data for cross-context behavioral advertising without explicit opt-in consent.

5.2 Right to Know (Access and Disclosure)

You have the right to request disclosure of the following, up to two times per 12-month period:

• The categories of personal information we have collected about you
• The specific pieces of personal information collected
• The categories of sources from which the information was obtained
• The business or commercial purpose for collecting or sharing the information
• The categories of third parties with whom your information was shared

Requests may be submitted to privacy@lustmonster.com with subject line: "CCPA Access Request". We will respond within 45 calendar days, extendable once by an additional 45 days where reasonably necessary.

5.3 Right to Request Deletion

You may request that we delete personal information we have collected from you. However, we may deny your request in whole or in part if retaining the information is necessary for us or our service providers to:

• Complete a transaction or fulfill a contract with you
• Detect security incidents or protect against malicious activity
• Comply with a legal obligation (e.g., tax law, fraud investigations)
• Exercise or defend legal claims
• Maintain internal usage solely for lawful, internal uses that are compatible with the context in which the information was provided

Deletion requests may be submitted to privacy@lustmonster.com with subject line: "CCPA Deletion Request".

5.4 Right to Request Correction

You may request correction of inaccurate personal information. We may require verification of your identity and supporting documentation to process the correction. This request may be denied if we determine that the contested information is accurate or if it would violate legal recordkeeping requirements.

5.5 Right to Opt Out of Sale or Sharing of Personal Data

LustMonster does not sell your personal data as defined under the CCPA. We also do not engage in cross-context behavioral advertising or share data with data brokers or ad networks.

If this ever changes, we will update this section and provide a clearly labeled “Do Not Sell or Share My Personal Information” link on our homepage in compliance with Cal. Civ. Code §1798.135.

5.6 Right to Limit Use of Sensitive Personal Information

We do not collect or process sensitive personal information for any purpose that would require a limitation right under Cal. Civ. Code §1798.121. Therefore, we do not display a limitation mechanism under the CPRA.

5.7 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. Specifically, we will not:

• Deny you goods or services
• Charge you different prices or rates
• Provide you with a different level or quality of service
• Suggest that you may receive a different level of service for exercising your rights

5.8 Verification of Requests

We may verify your identity before fulfilling any request to access, correct, or delete personal information. This may include confirming personal identifiers (email, order history) or requesting additional documentation. If we cannot verify your identity, we will not process your request.

You may also authorize an agent to make a request on your behalf. The agent must provide written permission signed by you or a valid power of attorney, along with verification of their identity.

5.9 Contact for CCPA Inquiries

For all CCPA-related inquiries or to exercise your rights, contact:

LustMonster CCPA Compliance
Email: privacy@lustmonster.com
Subject: “CCPA Request”
Response window: 45 calendar days from verified receipt

1. Cookies and Tracking Technologies

LustMonster uses cookies and other tracking technologies on its Website to enable core functionality, protect the security of our platform, analyze performance, and enhance the customer experience. This section explains how and why we use these technologies, what categories they fall under, and how you can manage or disable them according to your preferences and legal rights.

Our use of cookies complies with the ePrivacy Directive (2002/58/EC), the General Data Protection Regulation (GDPR), the UK Privacy and Electronic Communications Regulations (PECR), the California Consumer Privacy Act (CCPA/CPRA), and related international legislation.

6.1 What Are Cookies?

Cookies are small text files placed on your device (computer, mobile phone, tablet) by your browser when you visit a website. Cookies allow a website to recognize a user’s device, store certain information about preferences or interactions, and persist limited state between sessions.

Cookies may be:

• First-party cookies: set by LustMonster
• Third-party cookies: set by external services integrated into our Website
• Cookies may also be:
• Session cookies: deleted when you close your browser
• Persistent cookies: stored on your device for a defined period or until manually deleted

6.2 Categories of Cookies We Use

We group cookies into four categories, in line with international standards:

6.2.1 Strictly Necessary Cookies

These are essential for the Website to function. They cannot be disabled and do not require consent under GDPR Art. 5(3) or ePrivacy rules. Examples include:

• Authentication tokens
• Cart session IDs
• Security tokens
• Load balancing cookies

6.2.2 Performance and Analytics Cookies

Used to collect anonymized information about how visitors interact with the site (e.g., most visited pages, error messages, time on page). This helps us improve layout, flow, and usability. We use:

• Google Analytics (IP anonymized)
• Shopify Analytics
• Hotjar or Clarity (optional, with consent)

These cookies are only activated after opt-in consent is given where required by law (e.g., EU/UK).

6.2.3 Functional Cookies

These cookies enhance the functionality of the Website by remembering your choices, such as:

• Language preference
• Currency settings
• Region-specific product displays

While not strictly required, disabling them may degrade performance or experience.

6.2.4 Targeting and Advertising Cookies

These may be used for audience segmentation or advertising campaign performance tracking. LustMonster does not use third-party advertising networks or behavioral tracking without prior, informed, and affirmative consent.

If and when such cookies are introduced, a “Manage Cookies” banner will allow you to accept or decline their use in full compliance with applicable consent standards (GDPR, CPRA §1798.140).

6.3 Third-Party Services That May Set Cookies

Depending on your usage, the following services may set cookies via embedded scripts, pixels, or SDKs:

We regularly audit all third-party scripts to ensure compliance and minimal intrusiveness.

6.4 Cookie Duration

Each cookie has its own lifespan, which may range from a few minutes (e.g., session cookies) to several months (e.g., persistent preferences). We configure all cookies to expire as soon as their operational purpose is complete.

All persistent cookies are subject to regular deletion cycles as part of our data minimization policy.

6.5 How to Manage Cookies

You can manage or delete cookies at any time via your browser settings. Most browsers allow you to:

• View existing cookies
• Delete all or selected cookies
• Block third-party cookies
• Set preferences for specific websites
• Disable cookies entirely (not recommended)

Browser-specific instructions:

• Google Chrome
• Mozilla Firefox
• Safari
• Microsoft Edge

Note: Blocking all cookies may prevent you from using key features of our Website, including checkout, login, and account access.

6.6 Consent Management

Users located in the EEA, UK, or jurisdictions with comparable cookie laws will be presented with a cookie banner on first visit, in compliance with GDPR Art. 7 and Recital 32.

This banner:

• Clearly states the purpose of each cookie category
• Allows granular control over preferences
• Records and stores consent logs for legal compliance
• Provides a link to update or revoke consent at any time

Consent is valid for 12 months or until withdrawn. No non-essential cookies are deployed before consent is obtained.

6.7 Do Not Track (DNT) Signals

At this time, our Website does not respond to browser-level Do Not Track (DNT) signals, as there is no universally accepted technical standard for interpreting them. However, users can still manage tracking preferences via cookie settings, browser controls, or opt-out links provided above.

1. Third-Party Service Providers

In the course of operating our business, we engage a limited number of external service providers to assist with specific technical and operational functions. These providers may process your personal data on our behalf, under strict legal and contractual obligations. We only work with partners who can demonstrate compliance with applicable data protection laws, including GDPR, CCPA/CPRA, and relevant cybersecurity standards.

We do not use any external platforms that retain or control our user data. All integrations are self-managed and modular.

7.1 Categories of Providers and Their Functions

7.1.1 Infrastructure and Security

We utilize infrastructure-level providers for server hosting, traffic routing, and protective systems. These services:

• Secure the connection between you and our site using SSL/TLS encryption
• Monitor for suspicious traffic patterns and attempted intrusions
• Ensure uptime, redundancy, and fast global access

Such providers do not access personal data directly, unless legally compelled under exceptional circumstances (e.g., criminal investigation orders).

7.1.2 Payment Processors

All payments made through our Website are processed via third-party providers who operate independently from us and are fully certified under PCI-DSS Level 1. These services include, but are not limited to:

• Digital wallets (e.g., PayPal)
• Credit/debit card processors (e.g., via secure iframe or redirect)
• Alternative payment providers (e.g., regional gateways)

We do not collect or store your full card number, CVV code, or payment credentials. We receive only non-sensitive transaction metadata (e.g., last 4 digits, status, timestamps) necessary for fulfillment, refunds, and fraud prevention.

7.1.3 Shipping and Logistics

To fulfill and deliver your orders, we share limited shipping-related data with trusted carriers and logistics providers, including:

• Name
• Shipping address
• Phone number (if required for delivery)
• Email address (optional, for tracking updates)
• Package contents where required by customs authorities

These partners are authorized to use your data only for delivery purposes and are contractually prohibited from storing or reusing it for marketing or analytics.

7.1.4 Email and Communication Services

We use specialized email delivery systems to ensure fast and reliable communication. These services may handle:

• Transactional messages (e.g., order confirmations, password resets)
• Customer support correspondence
• Newsletter delivery (only where consent is provided)

All providers operate under strict data protection agreements and do not have permission to reuse or analyze your messages for their own purposes.

7.1.5 Analytics and Site Optimization

With your consent (where required), we may use third-party analytics tools to understand aggregated user behavior on our site. These tools collect anonymized technical data such as:

• Page views
• Device/browser type
• Time spent on site
• Click interactions

These services do not collect identifying information unless you explicitly allow it through a tracking consent banner.

7.1.6 Legal, Financial and Compliance Partners

We may share data with:

• Licensed accountants, tax advisors, and auditors (for legal reporting)
• Legal counsel (in case of dispute or fraud investigation)
• Law enforcement or regulatory authorities (only when required by law)

Any such disclosures are strictly limited, logged, and legally justified under our compliance obligations.

7.2 Data Transfer and Storage Locations

Some of our partners operate internationally. Where applicable, we ensure that any cross-border data transfer is:

• Covered by Standard Contractual Clauses (SCCs) or other legal mechanisms under GDPR Chapter V
• Supported by enforceable Data Processing Agreements (DPAs)
• Subject to access logs, data encryption, and breach notification protocols

We do not work with partners who cannot demonstrate appropriate technical and legal safeguards.

7.3 No Uncontrolled Third-Party Access

We do not permit:

• Third-party marketing trackers
• Retargeting ad networks
• Embedded SDKs that collect personal information
• Third parties to retain, enrich, or repurpose data beyond the contracted scope

All external access is limited to what is necessary, justified, and auditable.

1. Data Retention

LustMonster retains personal and non-personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with applicable legal and regulatory obligations, to resolve disputes, and to enforce our contractual and operational rights. Retention periods are determined based on the principle of proportionality, business risk assessments, statutory requirements, and audit necessity.

We do not retain data indefinitely. All data categories are subject to scheduled reviews, and where legally and technically feasible, anonymization or secure deletion protocols are enforced.

8.1 Order and Transaction Data

Retention period: 7 years (standard), up to 10 years in some jurisdictions

Includes:

• Customer name, contact details, shipping and billing address
• Order contents, values, currency
• Payment reference and billing metadata
• Fulfillment records (carrier, tracking)
• Refunds, returns, chargeback disputes

Legal basis: Compliance with tax laws, accounting standards, anti-fraud requirements, and statutory limitation periods for commercial claims.

Note: Deletion of this data prior to expiration is not permitted under financial and legal recordkeeping obligations.

8.2 Account Data (Registered Customers)

Retention period: Until account is deleted or inactive for 36 months

Includes:

• Login credentials (hashed)
• Saved addresses, order history
• Communication preferences
• Wishlist or back-in-stock alerts

You may delete your account at any time via request to privacy@lustmonster.com. Account deletion will anonymize or erase all stored data, except where order-related data must be retained under Article 6(1)(c) GDPR or applicable law.

8.3 Customer Support Communications

Retention period: 24 months from last interaction

Includes:

• Support tickets and email correspondence
• Live chat transcripts (if applicable)
• Internal resolution notes

We retain these for service history continuity, staff performance review, and legal defense in disputes. Communications containing threats, fraud attempts, or abusive behavior may be retained longer under legitimate interest grounds.

8.4 Marketing Data (Opt-In Subscribers)

Retention period: Until opt-out or inactive for 24 months

Includes:

• Name, email address
• Marketing preferences and consent status
• Engagement logs (opens, clicks)

You may opt out at any time by clicking the “Unsubscribe” link in our emails or by contacting privacy@lustmonster.com. Upon opt-out, your email is placed on a suppression list to prevent future contact, not deleted immediately, to comply with anti-spam laws (e.g., CAN-SPAM, PECR).

8.5 Analytics and Web Behavior Logs

Retention period: 12–36 months (aggregated, non-personalized)

Includes:

• Page views, click paths, bounce rates
• Anonymized IP ranges
• Device/browser metrics
• Campaign performance (non-PII)

Where technically feasible, analytics data is anonymized upon collection or automatically purged based on retention configuration within the analytics tool. No personal identifiers are retained beyond operational necessity.

8.6 Security Logs and Fraud Prevention

Retention period: 36–60 months (based on risk classification)

Includes:

• Login attempts and IPs
• Check out anomalies or velocity triggers
• Device fingerprinting data (if used)
• Order behavior flags

This data is retained to detect patterns of abuse, protect our systems, defend against chargeback fraud, and comply with security obligations under Article 32 of the GDPR. In case of confirmed abuse, records may be stored indefinitely for blacklist and litigation purposes.

8.7 Legal, Tax, and Regulatory Compliance Records

Retention period: As mandated by law, jurisdiction-dependent (typically 6–10 years)

Includes:

• VAT/Sales tax evidence
• Invoicing records
• Customs export/import declarations
• Consent logs for GDPR/CCPA
• Audit trails and legal correspondence

We are legally prohibited from deleting or altering such data before the expiration of the relevant retention period. Requests for deletion of this data will be respectfully denied with a written legal justification.

8.8 Backup Archives

Our systems generate encrypted backup copies of operational data at regular intervals for disaster recovery and business continuity purposes. These backups are:

• Stored securely with limited access
• Automatically rotated or purged based on a fixed retention schedule (typically 30–90 days)
• Not used for live processing
• Not accessible to third parties

Deletion of user data from production systems will be reflected in backup snapshots once the applicable cycle completes.

8.9 Data Deletion Requests

We honor all valid deletion requests, subject to legal and contractual retention obligations. If you request the erasure of your data, we will:

• Review the request within 30 days
• Remove or anonymize all non-exempt data
• Document the deletion process for audit purposes
• Inform you if any data cannot be deleted and why (e.g., pending legal dispute, tax compliance)

1. Security Measures

LustMonster implements a layered, risk-based security framework designed to ensure the confidentiality, integrity, and availability of all user data. Recognizing the sensitivity of the products we sell and the expectations of privacy from our customers, we treat security as a core function of our business, not an afterthought.

We do not claim to be unbreachable. However, we invest actively and continuously to minimize attack surface, detect anomalies early, and mitigate exposure in case of compromise.

9.1 Technical Controls

We employ the following safeguards across all production systems and interfaces:

• TLS 1.3 HTTPS Encryption – All traffic between your browser and our website is encrypted using modern cryptographic standards. This includes checkout, account login, and contact forms.
• Hardened Hosting Environment – Our server stack is isolated, firewall-protected, and regularly updated. Root access is limited to designated personnel under contract.
• Encrypted Data at Rest – All customer data in databases and logs is encrypted using AES-256 or equivalent encryption where supported.
• Hashed Credentials – User passwords are stored using strong, adaptive hashing algorithms (e.g., bcrypt), never in plaintext.
• WAF and DDoS Protection – Web Application Firewalls block malicious requests, bots, and known exploit patterns. Rate-limiting is enforced across all endpoints.
• Database Injection and XSS Protection – Input validation, output encoding, and security headers are implemented to protect against SQL injection, cross-site scripting, and other common web vulnerabilities.
• Automated Backups – Nightly encrypted backups are maintained off-site to allow full disaster recovery with minimal data loss.

9.2 Organizational Controls

• Access Controls – Internal access to customer or order data is limited strictly to staff with a legitimate operational need. Access is reviewed quarterly and revoked upon role change or contract termination.
• Confidentiality Agreements – All staff, contractors, and third-party providers with any access to sensitive data are bound by NDAs or data processing agreements (DPAs).
• Device Security Policy – Staff devices used for support, fulfillment, or admin work must be protected by up-to-date antivirus software, OS patches, and full-disk encryption.
• Logging and Audit Trails – Administrative actions are logged to provide accountability and to detect unauthorized activity.

9.3 Payment Security

We do not process or store full credit card numbers on our servers. All payment processing is delegated to certified, PCI-DSS Level 1 compliant third-party gateways. Payment data is transmitted directly between the customer and the gateway through secure, embedded interfaces.

For recurring billing or saved payment methods, we store only tokenized identifiers (e.g., masked card, token ID) as provided by the payment gateway.

9.4 Account Protection

While we take strong measures to protect user data on our systems, account security is also a shared responsibility. Users are expected to:

• Choose strong, unique passwords
• Not reuse credentials from other sites
• Contact us immediately in case of suspected account breach
• Avoid sharing login access with third parties

We provide password reset mechanisms using secure email verification. Account access may be temporarily disabled following multiple failed login attempts.

9.5 Incident Response Plan

In the event of a data breach, suspected system compromise, or confirmed unauthorized access, we commit to:

1. Immediately isolate and contain the breach
2. Investigate the scope and vector using forensic tools
3. Notify affected customers within 72 hours where required under GDPR, CCPA, or local law
4. Cooperate with legal authorities and payment providers as needed
5. Document the incident, resolution steps, and prevention improvements

We log and investigate all suspicious events, even if no confirmed breach occurs.

9.6 Vulnerability Disclosure Policy

Security researchers or users who discover vulnerabilities in our site or infrastructure are encouraged to report them to:
security@lustmonster.com

We pledge to:

• Acknowledge all good-faith reports within 7 business days
• Not pursue legal action against responsible disclosures made in line with responsible disclosure guidelines
• Credit researchers publicly (with consent), if the vulnerability is confirmed and fixed

1. Your Rights and Choices

We recognize that your data is yours. In compliance with applicable data protection laws, you have the right to access, manage, limit, or remove the personal information we hold about you. We provide reasonable means for you to exercise these rights, within a secure and verifiable framework.

Please note that, for legal, operational, or anti-fraud reasons, some data may be exempt from deletion or alteration where retention is mandated by law or by legitimate business interest.

10.1 Right to Access

You may request a copy of all personal data we have collected about you, including:

• Order history and billing records
• Shipping addresses
• Saved contact information
• Communication logs
• IP address records and user agent metadata

We will provide this data in machine-readable format within 30 days of receiving a verified request.

10.2 Right to Rectification

If any of your stored information is inaccurate or outdated, you may request correction. We will update incorrect or incomplete data upon verification of your identity and the new information.

Some fields (e.g., past shipping addresses or invoices) may be marked as “archived” rather than overwritten, for audit integrity.

10.3 Right to Erasure ("Right to Be Forgotten")

You may request that we permanently delete your personal data, including your account. Upon verified request, we will:

• Anonymize or delete all customer data not required by law
• Remove user login and credentials
• Revoke any saved tokens or marketing preferences
• Detach your order history from your name or contact info (where legally possible)

Exceptions apply where data must be retained for:

• Tax, accounting, or fraud prevention (typically 5–10 years under EU law)
• Legal defense in case of dispute
• Abuse of service (e.g., chargebacks, threats, policy violations)

We will explain clearly what we can and cannot erase.

10.4 Right to Restrict Processing

You may request that we limit how your data is used — for example, to prevent profiling, halt marketing contact, or pause processing during a dispute. We will implement technical and administrative restrictions accordingly.

10.5 Right to Object

You have the right to object to our processing of your data in the following cases:

• Direct marketing (opt-out always respected immediately)
• Profiling based on automated decision-making
• Processing based on “legitimate interest” grounds

Objections must be specific and based on personal context, as required under GDPR Article 21.

10.6 Right to Data Portability

You may request that your personal data be transferred to you or another controller in a structured, commonly used, machine-readable format (e.g., JSON, CSV, XML). We will facilitate this securely and without undue delay.

10.7 Right Not to Be Subject to Automated Decisions

We do not use fully automated decision-making that produces legal or similarly significant effects on users (e.g., algorithmic rejection of orders or blacklisting). Any risk scoring, fraud prevention, or verification processes are subject to human oversight.

10.8 How to Exercise These Rights

To submit a request related to any of the above rights, contact us via:

???? privacy@lustmonster.com
Please include:

• Your name
• The email address linked to your account or order
• A description of your request
• Proof of identity (we may require ID verification to protect your privacy)

We will respond within 30 calendar days. Complex requests may require up to 60 days with written notice.

10.9 Data Subject Rights Under Regional Laws

European Union (GDPR)

Residents of the European Economic Area (EEA) are covered under the General Data Protection Regulation (Regulation (EU) 2016/679). All rights listed above are enforceable by local data protection authorities.

You have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated.

California (CCPA / CPRA)

If you are a resident of California, USA, you are entitled to specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• Knowing what personal information is collected and disclosed
• Opting out of the sale or sharing of your personal information
• Non-discrimination for exercising your privacy rights

We do not sell or rent personal data to third parties, as defined under CCPA.

1. International Transfers of Data

We are based in the European Union and store the majority of customer data within the EEA (European Economic Area). However, in some cases, your personal information may be transferred to, processed, or stored in countries outside of your jurisdiction, including jurisdictions that may not offer the same level of data protection as your own.

These transfers are limited, controlled, and performed only when operationally necessary — such as email delivery, payment token processing, infrastructure security, or legal support services.

We ensure that any such transfers are conducted in full compliance with applicable data protection laws, particularly the General Data Protection Regulation (GDPR), and are subject to appropriate legal safeguards.

11.1 Legal Grounds for Data Transfers

All transfers outside the EU/EEA are conducted under one or more of the following legal frameworks:

• Adequacy Decisions
  Where the European Commission has deemed a non-EU country to provide an adequate level of data protection (e.g., Japan, South Korea, UK, Canada), data may be transferred freely under GDPR.
• Standard Contractual Clauses (SCCs)
  In the absence of an adequacy decision, we use the most recent EU-approved SCCs as the legal basis for cross-border data transfers to service providers. These are contractually binding clauses that guarantee GDPR-equivalent safeguards, including rights enforcement and data minimization.
• Supplementary Measures
  Where required, we apply technical and organizational measures such as data encryption, role-based access, data minimization, and pseudonymization to strengthen the protection of exported data.
• Explicit Consent (where applicable)
  In rare cases where no other mechanism applies and the transfer is not essential for the contract, we may ask for your explicit consent before initiating a transfer.

11.2 Typical Transfer Scenarios

Without disclosing specific vendors or systems, here are the general categories of services that may involve limited data transfer:

• Payment Tokenization Services
  Token requests to payment providers (e.g., for processing USD or multi-currency transactions) may route through systems in the US or UK.
• Email and Communication Infrastructure
  Transactional or marketing emails may be routed through international relay or CDN systems (e.g., TLS SMTP providers with nodes in multiple jurisdictions).
• Cloud-based Anti-Fraud or Abuse Detection
  IP risk scoring or behavior analytics services may analyze hashed or pseudonymized data in data centers outside the EU, under SCC or equivalent mechanisms.
• Legal, Accounting, or Compliance Vendors
  In limited cases, for disputes or audits, anonymized or contractually bound data may be accessed by licensed legal or accounting consultants based abroad.

We do not allow uncontrolled third-party access to our systems, and all data exports are logged and monitored.

11.3 How We Minimize Cross-Border Exposure

We design our systems to reduce unnecessary exposure of user data, especially across borders.

To this end:

• We avoid integrations that require persistent or full replication of customer data outside the EU.
• We encrypt sensitive fields at rest and in transit (AES-256 and TLS 1.2+ respectively).
• We select processors with EU-based infrastructure where possible.
• We require data processors to confirm compliance with SCCs, ISO 27001, or equivalent standards.

11.4 Your Rights Regarding International Transfers

You may request:

• Information about the countries where your personal data is processed
• A copy of the applicable SCCs or contractual safeguards
• That we avoid transferring your personal data outside of your jurisdiction where not legally required

In some cases, exercising this right may limit or prevent the use of our services, such as order fulfillment or support communications.

To exercise any of these rights, contact us via privacy@lustmonster.com with the subject line “International Data Transfer Request”.

1. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, to enforce our agreements, and to maintain the integrity and security of our services.

We have implemented a granular, category-based retention policy, with defined timelines and deletion protocols based on the nature of the data, its purpose, and regulatory requirements.

12.1 General Principles

• Purpose Limitation – Data is not retained indefinitely. Each category of data is mapped to a specific purpose and deleted or anonymized once that purpose is fulfilled.
• Data Minimization – Where possible, we use pseudonymization or anonymization to reduce data exposure, especially for inactive users or legacy transactions.
• Automated and Manual Processes – Data deletion is performed through a combination of automated scripts (e.g., nightly purges) and manual validation by authorized personnel where necessary.
• Audit Logs – For accountability, metadata regarding deletion (e.g., timestamp, user ID) is retained for auditing purposes in compliance with applicable law.

12.2 Retention Periods by Category

Below are our current standard retention durations unless otherwise required by law:

12.3 Exceptions and Legal Holds

Certain records may be retained beyond the above timeframes under specific legal conditions:

• Pending litigation, legal claims, or governmental inquiries
  Data may be retained until the matter is resolved or no longer actionable.
• Chargeback and fraud investigations
  We may retain transactional metadata or pseudonymized identifiers beyond normal limits to protect our interests.
• Regulatory audit compliance
  In jurisdictions requiring retention of tax or commerce records, we comply with the longer retention period required by local law.

In such cases, access to retained data is restricted and monitored.

12.4 User-Initiated Deletion

You may request the deletion of your account or specific data categories at any time by contacting:
privacy@lustmonster.com with the subject line “Data Deletion Request”.

We will respond within 30 calendar days, unless an extension is required by law or the request is complex. In case of legal restrictions (e.g., active transaction, tax audit), we will explain why certain data cannot be immediately erased.

Where deletion is not technically feasible, we will pseudonymize or encrypt the data so that it is no longer associated with your identity.

12.5 Retention of Aggregated or Anonymized Data

We may retain anonymized or aggregated datasets indefinitely for legitimate business purposes such as:

• Product research and development
• Statistical trend analysis
• Security performance benchmarking
• Inventory forecasting

Such data does not identify any individual and cannot be re-identified without external information we do not possess.

1. Children’s Privacy

Our website, products, and services are strictly intended for use by adults aged 18 and over, or the legal age of majority in your jurisdiction — whichever is higher.

We do not knowingly collect, solicit, store, or process personal information from anyone under the age of 18. If we become aware that we have inadvertently collected personal data from a minor without verified parental or legal guardian consent, we will take immediate steps to delete such information from our systems and disable any associated account or order.

13.1 Minimum Age Declaration

When accessing or using LustMonster.com, all users must explicitly confirm that they:

• Are at least 18 years old (21 years old in some places), or older if required by their local jurisdiction;
• Understand that the content and products offered are of an adult nature, potentially including sexually explicit material and fantasy-themed sex toys;
• Are not accessing the site or making purchases on behalf of a minor, even with their knowledge or consent.

We implement age-gating mechanisms and visible warnings to discourage access by underage individuals. Use of the site without meeting the age requirement constitutes a violation of our Terms of Service and may result in permanent IP-level or account-based restrictions.

13.2 Parental and Guardian Controls

We encourage all parents and guardians to monitor their children’s online activity. If you believe that your child has accessed or interacted with our site or services in violation of this policy, please contact us immediately at:

privacy@lustmonster.com
Subject: Minor Data Concern

We will respond to all verified reports involving minors within 7 business days and prioritize the investigation and removal of any associated data.

13.3 Educational and Geographic Considerations

We explicitly prohibit:

• Use of our site or purchase of any products in educational settings, school premises, or youth-oriented programs
• Shipping or marketing to known minor-associated addresses or institutions
• Inclusion of any LustMonster products in public or government-funded educational curricula, training kits, or therapeutic programs involving minors, without prior written legal clearance

13.4 Regulatory Compliance

This policy aligns with:

• Article 8 of the GDPR – which requires parental consent for processing personal data of children under 16 (or a lower age defined by member state law, but not below 13)
• COPPA (Children’s Online Privacy Protection Act) – which restricts data collection from users under 13 years of age in the United States
• Relevant UK and Canadian privacy laws, such as the UK Children’s Code and PIPEDA guidance on minors

We take these obligations seriously and update our practices regularly to remain compliant across jurisdictions.

1. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your browsing experience, understand visitor behavior, secure our platform, and deliver relevant content and marketing. By using our website, you consent (where required by law) to our use of these technologies, as outlined in this policy.

We comply with the EU ePrivacy Directive, General Data Protection Regulation (GDPR), UK Privacy and Electronic Communications Regulations (PECR), and other applicable laws regarding consent, data processing, and transparency.

14.1 What Are Cookies?

Cookies are small text files that a website stores on your device (computer, phone, tablet) when you visit. They allow us to recognize your browser, store preferences, manage sessions, and gather analytics data. Some cookies are essential for functionality, while others are used for analytics or advertising.

Cookies may be:

• Session-based – deleted after your browsing session ends
• Persistent – remain stored until they expire or are manually deleted
• First-party – set by LustMonster.com
• Third-party – set by external providers (e.g. analytics, payment providers)

14.2 Types of Cookies We Use

1. Strictly Necessary Cookies
   These cookies are essential for the website to function correctly. They enable basic features like:

• Navigating pages
• Securing user sessions
• Processing orders and checkout flow
• Preventing fraudulent activity

These cookies cannot be disabled via our cookie banner.

1. Preference Cookies
   These cookies store your choices, such as:

• Language selection
• Display settings
• Location-specific content
• Cookie consent preferences

They enhance your user experience but are not essential.

1. Analytics and Performance Cookies
   These help us understand how visitors use our site, which pages are popular, and where errors occur. Tools such as:

• Privacy-centric analytics (e.g., Plausible, Matomo, or Google Analytics with anonymization enabled)
• Session replay tools (if in use, with prior consent and masking enabled)

All analytics are configured to avoid storing personally identifiable information (PII) wherever possible.

1. Marketing and Retargeting Cookies
   Used to deliver personalized ads or measure ad effectiveness. This includes:

• Pixel tags from platforms such as Meta (Facebook), TikTok, or X
• Affiliate tracking cookies
• Email campaign tracking pixels (with consent only)

These cookies are disabled by default unless explicitly accepted by the user.

14.3 Cookie Consent and Control

Upon your first visit, you are presented with a cookie consent banner that allows you to:

• Accept all cookies
• Reject non-essential cookies
• Customize your preferences granularly

You can also adjust your settings at any time via the “Cookie Settings” link found in the footer of the website.

Your preferences are stored using a functional cookie valid for 6–12 months unless otherwise specified or cleared by you.

14.4 Managing Cookies from Your Browser

Most modern browsers allow users to:

• View stored cookies
• Delete specific or all cookies
• Block cookies entirely
• Enable "Do Not Track" (DNT) settings

Please note that disabling certain cookies may affect site functionality, such as login persistence, cart memory, or language preference.

14.5 Third-Party Providers

Where applicable, we integrate services from trusted third parties. These providers may set cookies under their own policies and legal jurisdictions. Examples include:

• Secure payment gateways (e.g. Stripe, PayPal – for tokenized payment authorization)
• Fraud prevention platforms
• Customer support chat systems (if active)
• Email delivery tools (e.g. for transactional or newsletter communication)

We ensure that all such providers are contractually bound by Data Processing Agreements (DPAs) and, where applicable, standard contractual clauses (SCCs) for international transfers.

14.6 International Data Transfers

If third-party cookies involve data transfer outside the EEA, we ensure adequate protection through:

• Jurisdictional adequacy decisions (e.g., UK, Canada)
• Valid legal mechanisms (e.g., SCCs, supplementary measures)
• Risk assessments based on guidance from the European Data Protection Board (EDPB)

14.7 Updates to This Policy

We may update our cookie policy periodically to reflect changes in legal requirements or technology usage.

Any changes will be communicated via an updated banner, and your preferences may be reset to ensure renewed consent.

1. Data Subject Rights

As a data subject under the General Data Protection Regulation (EU) 2016/679, the UK GDPR, and applicable global data protection laws, you are entitled to exercise specific rights concerning your personal data. LustMonster respects and facilitates the proper execution of these rights in accordance with legal obligations, operational feasibility, and security protocols.

We respond to all verified and legally admissible requests within 30 calendar days, extendable by an additional 30 days where legally justified (e.g., complex cases or multiple concurrent requests). Identity verification may be required to prevent fraudulent or unauthorized access.

15.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether we process your personal data and, if so, to obtain:

• A copy of the personal data we hold
• The purposes of processing
• Categories of personal data
• Recipients or categories of recipients
• Retention period or criteria used
• The source of data (if not provided by you)
• Details of automated decision-making, if applicable

This right excludes access to internal risk assessments, security architecture, or proprietary business logic.

15.2 Right to Rectification (Art. 16 GDPR)

If you believe that the personal data we hold about you is inaccurate, incomplete, or outdated, you have the right to request its correction. In some cases, we may request supporting documentation to verify the change (e.g., address or legal name updates).

15.3 Right to Erasure (“Right to Be Forgotten”) – Art. 17 GDPR

You may request the deletion of your personal data under specific conditions, such as when:

• The data is no longer necessary for the original purpose
• You withdraw your consent (where applicable)
• You object to processing and no overriding legitimate interest exists
• The data has been unlawfully processed
• Erasure is required to comply with a legal obligation

However, we may retain certain data where processing is required for:

• Compliance with tax, fraud, or accounting regulations
• Defense against legal claims
• Fulfillment of contractual obligations

15.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request that we temporarily suspend processing of your data in specific circumstances:

• While contesting accuracy
• If processing is unlawful but you oppose erasure
• When we no longer need the data, but you require it for legal purposes
• When objecting to processing (pending legitimate interest assessment)

During restriction, your data is retained but not actively processed unless legally required.

15.5 Right to Data Portability (Art. 20 GDPR)

You are entitled to request your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and, where feasible, to have it transmitted directly to another controller.

This right applies only when:

• The data was provided by you
• Processing is based on your consent or contract
• Processing is automated

15.6 Right to Object (Art. 21 GDPR)

You may object to our processing of your personal data where:

• Processing is based on legitimate interests or performance of a task in the public interest
• Processing is for direct marketing purposes, including profiling

We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or where processing is necessary for legal claims.

You may opt out of marketing communications at any time by clicking the “unsubscribe” link in our emails or contacting us at:

???? privacy@lustmonster.com
Subject: Marketing Objection

15.7 Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant impact, unless:

• It is necessary for a contract
• You have given explicit consent
• It is authorized by applicable law

We currently do not engage in automated decision-making with legal or equivalent impact on users.

15.8 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you may file a complaint with:

• Your local data protection authority (DPA)
• The Commission for Personal Data Protection (CPDP) in Bulgaria
• The ICO in the United Kingdom
• Any other competent authority based on your residency

We recommend contacting us first at privacy@lustmonster.com, so we can attempt to resolve the issue directly.

15.9 Users Outside the EEA, UK, US, and Canada

If you are located in a country not explicitly mentioned in this Privacy Policy, please note that your data protection rights and applicable legal frameworks may differ.

We encourage you to contact us at privacy@lustmonster.com to clarify how we handle data under your local jurisdiction. We will make reasonable efforts to accommodate any lawful request consistent with our internal capabilities and applicable laws.

1. Data Retention Policy

We retain personal data only for as long as is strictly necessary to fulfill the purposes outlined in this Privacy Policy, to comply with legal obligations, resolve disputes, enforce our agreements, and protect our legitimate business interests.

16.1 Retention Periods by Category

• Order and Transaction Data (e.g., name, address, order contents, payment method token):
  Retained for 7 years from the date of the last transaction to comply with financial, tax, and anti-fraud regulations.
• Customer Support Correspondence:
  Retained for 3 years from the last communication to ensure continuity of support, resolve potential disputes, or improve service quality.
• Marketing Consent Records and Preferences:
  Retained for as long as consent remains valid, or until opt-out is received. We log all opt-ins/opt-outs for audit purposes.
• Newsletter Activity and Site Usage Logs (anonymized):
  Retained for up to 24 months for analytics and business performance evaluation, in aggregated, non-identifiable form.
• Accounts without Purchases:
  Deleted or anonymized after 24 months of inactivity, unless legally required to retain for fraud prevention.
• Personal Data Under Legal Dispute or Regulatory Investigation:
  Retained until the dispute or investigation is formally closed, regardless of standard retention periods.

16.2 Data Deletion and Anonymization

Once retention periods expire, we take steps to either:

• Permanently delete the personal data from all active and backup systems, or
• Anonymize the data, rendering it non-personal and unusable for individual identification, in accordance with ISO/IEC 20889 standards.

Where automated data retention workflows are not available, manual reviews are conducted at least once annually to purge legacy data.

16.3 Exceptions

We reserve the right to extend retention for data involved in:

• Ongoing legal claims or disputes
• Internal fraud investigations
• National security inquiries
• Requirements imposed by tax authorities or courts

Final Provisions

This Privacy Policy is binding upon all users of LustMonster.com. By accessing or interacting with our website, placing an order, or submitting any personal data, you confirm that you:

• Have read and understood this Privacy Policy
• Accept the terms stated herein
• Consent to the processing, transfer, and storage of your data in accordance with applicable law

We reserve the right to modify this policy at any time, at our sole discretion, to reflect:

• Changes in law or regulation
• Modifications to our business practices, products, or data systems
• Security updates or compliance guidance from supervisory authorities

In the event of a material change, we will publish a notice on our homepage and, where applicable, notify users via email. Continued use of the site constitutes acceptance of the updated version.

Contact Information for All Privacy Matters
For requests, questions, or concerns relating to this Privacy Policy or your personal data:

privacy@lustmonster.com

LustMonster, Legal & Compliance Department
144 Fishponds Rd, Eastville, Bristol BS5 6PT, United Kingdom

This version is effective as of 01.01.2025 and supersedes all prior privacy statements.